1 // SPDX-License-Identifier: GPL-2.0
12  * - Deriving per-file encryption keys using the AES-128-ECB based KDF
13  *   (rather than the new method of using HKDF-SHA512)
15  * - Retrieving fscrypt master keys from process-subscribed keyrings
16  *   (rather than the new method of using a filesystem-level keyring)
18  * - Handling policies with the DIRECT_KEY flag set using a master key table
19  *   (rather than the new method of implementing DIRECT_KEY with per-mode keys
20  *    managed alongside the master keys in the filesystem-level keyring)
25 #include <keys/user-type.h>
37  * master key with AES-128-ECB using the nonce as the AES key.  This provides a
39  * nonstandard, non-extensible, doesn't evenly distribute the entropy from the
40  * master key, and is trivially reversible: an attacker who compromises a
41  * derived key can "decrypt" it to get back to the master key, then derive any
44  * The master key must be at least as long as the derived key.  If the master
65 		res = -ENOMEM;  in derive_key_aes()
105 		return ERR_PTR(-ENOMEM);  in find_and_lock_process_key()
112 	down_read(&key->sem);  in find_and_lock_process_key()
118 	payload = (const struct fscrypt_key *)ukp->data;  in find_and_lock_process_key()
120 	if (ukp->datalen != sizeof(struct fscrypt_key) ||  in find_and_lock_process_key()
121 	    payload->size < 1 || payload->size > FSCRYPT_MAX_KEY_SIZE) {  in find_and_lock_process_key()
124 			     key->description);  in find_and_lock_process_key()
128 	if (payload->size < min_keysize) {  in find_and_lock_process_key()
131 			     key->description, payload->size, min_keysize);  in find_and_lock_process_key()
139 	up_read(&key->sem);  in find_and_lock_process_key()
141 	return ERR_PTR(-ENOKEY);  in find_and_lock_process_key()
144 /* Master key referenced by DIRECT_KEY policy */
158 		fscrypt_destroy_prepared_key(dk->dk_sb, &dk->dk_key);  in free_direct_key()
165 	if (!refcount_dec_and_lock(&dk->dk_refcount, &fscrypt_direct_keys_lock))  in fscrypt_put_direct_key()
167 	hash_del(&dk->dk_node);  in fscrypt_put_direct_key()
175  * is returned with elevated refcount, and 'to_insert' is freed if non-NULL.  If
176  * not found, 'to_insert' is inserted and returned if it's non-NULL; otherwise
194 	memcpy(&hash_key, ci->ci_policy.v1.master_key_descriptor,  in find_or_insert_direct_key()
199 		if (memcmp(ci->ci_policy.v1.master_key_descriptor,  in find_or_insert_direct_key()
200 			   dk->dk_descriptor, FSCRYPT_KEY_DESCRIPTOR_SIZE) != 0)  in find_or_insert_direct_key()
202 		if (ci->ci_mode != dk->dk_mode)  in find_or_insert_direct_key()
204 		if (!fscrypt_is_key_prepared(&dk->dk_key, ci))  in find_or_insert_direct_key()
206 		if (crypto_memneq(raw_key, dk->dk_raw, ci->ci_mode->keysize))  in find_or_insert_direct_key()
209 		refcount_inc(&dk->dk_refcount);  in find_or_insert_direct_key()
215 		hash_add(fscrypt_direct_keys, &to_insert->dk_node, hash_key);  in find_or_insert_direct_key()
220 /* Prepare to encrypt directly using the master key in the given mode */
235 		return ERR_PTR(-ENOMEM);  in fscrypt_get_direct_key()
236 	dk->dk_sb = ci->ci_inode->i_sb;  in fscrypt_get_direct_key()
237 	refcount_set(&dk->dk_refcount, 1);  in fscrypt_get_direct_key()
238 	dk->dk_mode = ci->ci_mode;  in fscrypt_get_direct_key()
239 	err = fscrypt_prepare_key(&dk->dk_key, raw_key, ci);  in fscrypt_get_direct_key()
242 	memcpy(dk->dk_descriptor, ci->ci_policy.v1.master_key_descriptor,  in fscrypt_get_direct_key()
244 	memcpy(dk->dk_raw, raw_key, ci->ci_mode->keysize);  in fscrypt_get_direct_key()
253 /* v1 policy, DIRECT_KEY: use the master key directly */
262 	ci->ci_direct_key = dk;  in setup_v1_file_key_direct()
263 	ci->ci_enc_key = dk->dk_key;  in setup_v1_file_key_direct()
278 	derived_key = kmalloc(ci->ci_mode->keysize, GFP_KERNEL);  in setup_v1_file_key_derived()
280 		return -ENOMEM;  in setup_v1_file_key_derived()
282 	err = derive_key_aes(raw_master_key, ci->ci_nonce,  in setup_v1_file_key_derived()
283 			     derived_key, ci->ci_mode->keysize);  in setup_v1_file_key_derived()
296 	if (ci->ci_policy.v1.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY)  in fscrypt_setup_v1_file_key()
305 	const struct super_block *sb = ci->ci_inode->i_sb;  in fscrypt_setup_v1_file_key_via_subscribed_keyrings()
311 					ci->ci_policy.v1.master_key_descriptor,  in fscrypt_setup_v1_file_key_via_subscribed_keyrings()
312 					ci->ci_mode->keysize, &payload);  in fscrypt_setup_v1_file_key_via_subscribed_keyrings()
313 	if (key == ERR_PTR(-ENOKEY) && sb->s_cop->legacy_key_prefix) {  in fscrypt_setup_v1_file_key_via_subscribed_keyrings()
314 		key = find_and_lock_process_key(sb->s_cop->legacy_key_prefix,  in fscrypt_setup_v1_file_key_via_subscribed_keyrings()
315 						ci->ci_policy.v1.master_key_descriptor,  in fscrypt_setup_v1_file_key_via_subscribed_keyrings()
316 						ci->ci_mode->keysize, &payload);  in fscrypt_setup_v1_file_key_via_subscribed_keyrings()
321 	err = fscrypt_setup_v1_file_key(ci, payload->raw);  in fscrypt_setup_v1_file_key_via_subscribed_keyrings()
322 	up_read(&key->sem);  in fscrypt_setup_v1_file_key_via_subscribed_keyrings()